Section 222 of the Telecommunications Act of 1996 authorizes the Federal Communications Commission ("FCC") to impose restrictions on telecommunications carriers regarding the access, use, and disclosure of customer information.[1] Before this Act, carriers could simply sell customer data to any third-party marketer without customers’ consent.

In 2015, the FCC issued an order called the “Open Internet Order,” which essentially subjected broadband providers, such as Comcast and Verizon, to the same regulations as telephone providers.[2] In 2016, the FCC went even further by issuing an order focused on privacy and customer information, specifically tailored towards Internet Service Providers (ISPs) like Comcast and Verizon (the “Order”). The Order is officially entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” but it is often referred to as “Internet Privacy Rules.”[3]

What did the Order do?

The Order enumerated what consumer information is considered “sensitive,” and provided a privacy framework that focused on transparency, consumer choice, and data security.[4]Under the Order, sensitive customer personal information included financial information, health information, Social Security numbers, precise geo-location information, information pertaining to children, content of communications, web browsing history, application usage history, and the functional equivalents of web browsing history or application usage history.[5] Notably, voice services, such as call detail information, were also considered sensitive information.[6]

As for the privacy framework, the “transparency” provision of the Order required ISPs to provide to consumers clear and accurate privacy notices about how they collect and to whom they distribute sensitive consumers information.[7] The “consumer choice” provision of the Order mandated that ISPs obtain customers’ opt-in approval for use and sharing of sensitive consumer personal information, and opt-out approval for the use and sharing of non-sensitive consumer information.[8] The Order also required customers’ opt-in approval for material retroactive changes to carriers’ privacy policies. The “data security” provision required ISPs to protect and safeguard customers’ personal information that they collect and maintain.[9] Therefore, the Order significantly heightened protection for sensitive customer information and, ultimately, prohibited ISPs from tracking and selling sensitive customers’ personal information to third-party marketers without customers’ permission.[10]

Did the Order have any shortcomings and what is its current status?

The Order was criticized from its inception on various grounds. Some have criticized the Order on a jurisdictional basis, arguing that the FCC usurped part of the Federal Trade Commission’s role in overseeing broadband privacy.[11] Others have argued that the order singled out ISPs, but it excluded giant tech companies, such as Google and Facebook, which were already engaged in data mining and selling of customers’ information to third-party marketers.[12]

On March 28, 2017, the United States Congress voted on a resolution to repeal the Order, and the resolution passed, to a large extent along party lines.[13] President Donald Trump signed the resolution on April 3, 2017, which completed the repeal process before the Order even went into effect.[14]

What does this mean for the privacy of consumer information?

Since the Order never went into effect, consumers’ privacy is not at risk any more than it was before the Order was issued. Furthermore, many ISP providers have voluntarily committed to not sharing sensitive consumer information with third-party entities.[15]

Nevertheless, it is important to recognize that the repeal of the Order could have a drastic impact on consumers’ privacy because ISPs are uniquely positioned to collect sensitive consumer information. While other tech companies, like Facebook and Google, do engage in data mining about their consumers, consumers do have some control over their privacy, at least in theory, as consumers can choose which websites or platforms they want to use. Moreover, consumers can disable location services if they want to, so tech companies will not have access to their precise geo-location. When it comes to ISPs, consumers in many areas do not have as much choice in terms of choosing a provider and, more importantly, ISPs are uniquely positioned to collect precise geo-location information because they can determine where phones are connected to their cell towers. The repeal of the Order, therefore, can further reduce consumers’ privacy.

Does the repeal have any implications under the US Constitution?

While commentators continue to debate the commercial aspects of the repeal, it is unclear whether the repeal will have any implications under the Fourth Amendment of the United States Constitution.

The Fourth Amendment restricts the Government’s ability to violate privacy by collecting and seizing private information from people. The Fourth Amendment provides that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause.”[16] The main test for analyzing the privacy protected by the Fourth Amendmentcomes from Justice Harlan's concurrence in Katz v. United States, wherein Justice Harlan articulated a two-prong test for analyzing Fourth Amendment issues: First, a person must exhibit an actual (subjective) expectation of privacy. Second, the expectation must be one that society is prepared to recognize as “reasonable.”[17]

As noted earlier, the Order contained a privacy framework focused on transparency, consumer choice with respect to opting in and out, and data security. As such, the Order would clearly enhance reasonable expectations of privacy in the enumerated sensitive consumer information provided to ISPs. Absent the privacy framework contained in the Order, an expectation of privacy in sensitive information is likely unreasonable. Because of that, the “Mosaic Theory” of the Fourth Amendment that was implicitly endorsed by the United States Supreme Court,[18] will be immensely important in the future. Under the Mosaic Theory, even if an individual does not have a reasonable expectation of privacy in individual information, it might have such expectation in collection of information.[19] That is because the government can infer private information about a person by analyzing an entire collection of non-private information that, only in the aggregate, can paint a mosaic about a person. Since ISPs can collect large amounts of data about their customers , they can construct revealing “mosaics” about their customers. Notably, under the Stored Communications Act, a component of the Electronic Communications Privacy Act of 1986, the government may order ISPs to turn over data about their customers using only a court order or an administrative subpoena.[20] Absent the enhanced reasonable expectations of privacy offered by the now-repealed Order, the Mosaic Theory thus constitutes the most important Constitutional limitation on the government’s ability to obtain and use ISP data moving forward, but the scope of such limitation remains somewhat unclear.[21]

[1]47 U.S. Code § 222.

[2]In re Protecting and Promoting the Open Internet, 30 FCC Rcd. 5601 (2015). These rules are intended to protect what is generally referred to as “net neutrality”.